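I seem to have run into an openssl/certificate problem that I can't solve. Using wget 'http://www.youtube.com'
gives the following certificate error (other sites, such as Amazon and Google, work):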
--2015-05-07 11:10:26-- http://www.youtube.com/
Resolving www.youtube.com... 74.125.239.102, 74.125.239.98, 74.125.239.101, ...
Connecting to www.youtube.com|74.125.239.102|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.youtube.com/ [following]
--2015-05-07 11:10:26-- https://www.youtube.com/
Connecting to www.youtube.com|74.125.239.102|:443... connected.
ERROR: cannot verify www.youtube.com's certificate, issued by 'CN=Google Internet Authority G2,O=Google Inc,C=US':
Unable to locally verify the issuer's authority.
To connect to www.youtube.com insecurely, use '--no-check-certificate'.
First I tried reinstalling openssl with
~ > brew uninstall openssl
~ > brew install openssl
Nothing changed.
I tried /usr/local/opt/openssl/bin/openssl s_client -connect youtube.com:443 -CAfile /usr/local/etc/openssl/cert.pem
, but this keeps giving me Verify return code: 20 (unable to get local issuer certificate)
Full output:
testenv3 > /usr/local/opt/openssl/bin/openssl s_client -connect youtube.com:443 -CAfile /usr/local/etc/openssl/cert.pem
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
i:/C=US/O=Google Inc/CN=Google Internet Authority G2
1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4500 bytes and written 474 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: BE12D954ABDF74775FCCDBD467C6494D2F5F93FC5C582F6086B42CB7F5A3C5CD
Session-ID-ctx:
Master-Key: 57AB75014EBE5C3CF5B617033D2EAFCA29780953F00FAE65C7BA9945202474717AA713F7E79B51C88007DE2A88559F62
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 100800 (seconds)
TLS session ticket:
Start Time: 1430847495
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
I also tried echo | openssl s_client -connect youtube.com:443
, and this is the output:
(testenv3)testenv3 > echo | openssl s_client -connect youtube.com:443
CONNECTED(00000003)
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
i:/C=US/O=Google Inc/CN=Google Internet Authority G2
1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
---
SSL handshake has read 3999 bytes and written 444 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-SHA
Session-ID: 10775C02A73AB2D86F618C26491521BAC0EF8FAB670C7BEFC7F1FAA223064A57
Session-ID-ctx:
Master-Key: B7D9845159D987F16A7E1A847C049E1E2A703590C4846731ACCB12B34A5056900BAFEF75A461E999A786B258C12E87AC
Key-Arg : None
Start Time: 1430785075
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
DONE
I don't know what to do from here; I have almost no understanding of openssl and certificates. What exactly do I need to do to fix this?
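
Added example, not part of the original post: the first run reports error 20 at depth=2, the last certificate in the chain, so that certificate's issuer is the one OpenSSL looked for locally. This script reads the "Certificate chain" section (embedded here as a sample copied from the output above) and prints that issuer; the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample: the "Certificate chain" section from the s_client output in the post.
sample_chain() {
cat <<'EOF'
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
EOF
}

# required_anchor (hypothetical name): read s_client output on stdin and print
# the issuer DN of the last certificate the server sent. Prints nothing when
# that certificate is self-signed (subject == issuer).
required_anchor() {
  awk '
    /^Certificate chain/       { in_chain = 1; next }
    in_chain && /^---/         { in_chain = 0 }
    in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj = $0 }
    in_chain && /^ *i:/        { sub(/^ *i:/, ""); iss = $0 }
    END { if (subj != "" && subj != iss) print iss }
  '
}

# chain_breaks (hypothetical name): print each depth whose subject does not
# match the issuer named by the certificate below it.
chain_breaks() {
  awk '
    /^Certificate chain/       { in_chain = 1; next }
    in_chain && /^---/         { in_chain = 0 }
    in_chain && /^ *[0-9]+ s:/ { d = $1; sub(/^ *[0-9]+ s:/, "")
                                 if (seen && $0 != iss) print d; seen = 1 }
    in_chain && /^ *i:/        { sub(/^ *i:/, ""); iss = $0 }
  '
}

echo "issuer the CA file must contain: $(sample_chain | required_anchor)"
echo "broken links at depth: $(sample_chain | chain_breaks)"
```

On a live connection, pipe the s_client output into `required_anchor` instead of the sample, then check whether the CA file passed with -CAfile holds a certificate with that subject.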